Adguardhome encryption: error address in use, but isn't

Hi together,

I’ve been running AdGuardHome for a long time and now I want to activate encryption.

I just activated it and added the domain name and certificates; the ports I left at the given ones. When saving, there is an error:

Error: control/tls/configure | starting forwarding dns server: could not reconfigure the server: configuring listeners: listening on tls addr 127.0.0.1:853: listen tcp 127.0.0.1:853: bind: address already in use | 500

Checking all ports: there is no port 853 in use, neither tcp nor udp

root@mirror:~# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1779/dropbear
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5806/uhttpd
tcp        0      0 127.0.0.1:9100          0.0.0.0:*               LISTEN      2350/uhttpd
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      5806/uhttpd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      6450/AdGuardHome
tcp        0      0 127.0.0.1:54            0.0.0.0:*               LISTEN      5438/dnsmasq
tcp        0      0 192.168.7.135:54        0.0.0.0:*               LISTEN      5438/dnsmasq
tcp        0      0 192.168.10.1:54         0.0.0.0:*               LISTEN      5438/dnsmasq
tcp        0      0 192.168.1.1:3080        0.0.0.0:*               LISTEN      6450/AdGuardHome
tcp        0      0 192.168.1.1:54          0.0.0.0:*               LISTEN      5438/dnsmasq
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      6450/AdGuardHome
tcp        0      0 :::53                   :::*                    LISTEN      6450/AdGuardHome
tcp        0      0 :::22                   :::*                    LISTEN      1779/dropbear
tcp        0      0 :::80                   :::*                    LISTEN      5806/uhttpd
tcp        0      0 fe80::5aef:68ff:fe0f:5750:54 :::*                    LISTEN      5438/dnsmasq
tcp        0      0 fe80::5aef:68ff:fe0f:5750:54 :::*                    LISTEN      5438/dnsmasq
tcp        0      0 fe80::5aef:68ff:fe0f:5750:54 :::*                    LISTEN      5438/dnsmasq
tcp        0      0 fe80::5aef:68ff:fe0f:5750:54 :::*                    LISTEN      5438/dnsmasq
tcp        0      0 :::8443                 :::*                    LISTEN      5806/uhttpd
tcp        0      0 ::1:54                  :::*                    LISTEN      5438/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      6450/AdGuardHome
tcp        0      0 fe80::58ef:68ff:fe0f:5750:54 :::*                    LISTEN      5438/dnsmasq
tcp        0      0 fd5a:22b8:bb40::1:54    :::*                    LISTEN      5438/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           6450/AdGuardHome
udp        0      0 127.0.0.1:53            0.0.0.0:*                           6450/AdGuardHome
udp        0      0 192.168.1.1:54          0.0.0.0:*                           5438/dnsmasq
udp        0      0 127.0.0.1:54            0.0.0.0:*                           5438/dnsmasq
udp        0      0 192.168.7.135:54        0.0.0.0:*                           5438/dnsmasq
udp        0      0 192.168.10.1:54         0.0.0.0:*                           5438/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           5438/dnsmasq
udp        0      0 :::546                  :::*                                4779/odhcp6c
udp        0      0 :::547                  :::*                                5470/odhcpd
udp        0      0 :::53                   :::*                                6450/AdGuardHome
udp        0      0 ::1:53                  :::*                                6450/AdGuardHome
udp        0      0 fd5a:22b8:bb40::1:54    :::*                                5438/dnsmasq
udp        0      0 fe80::5aef:68ff:fe0f:5750:54 :::*                                5438/dnsmasq
udp        0      0 ::1:54                  :::*                                5438/dnsmasq
udp        0      0 fe80::5aef:68ff:fe0f:5750:54 :::*                                5438/dnsmasq
udp        0      0 fe80::58ef:68ff:fe0f:5750:54 :::*                                5438/dnsmasq
udp        0      0 fe80::5aef:68ff:fe0f:5750:54 :::*                                5438/dnsmasq
udp        0      0 fe80::5aef:68ff:fe0f:5750:54 :::*                                5438/dnsmasq
root@mirror:~# netstat -ulpn

So, what’s wrong here? I couldn’t find any documentation or other information on the net.
Which additional information should I add?

thanks

root@mirror:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5a:22b8:bb40::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'wan'
        option macaddr '5a:ef:68:0f:57:50'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '10'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'

config interface 'doc'
        option proto 'static'
        option device 'br-lan.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'


root@mirror:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option band '5g'
        option channel '36'
        option htmode 'VHT80'
        option disabled '1'
        option country 'US'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option macaddr '58:ef:68:0f:57:52'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option band '2g'
        option channel '1'
        option htmode 'VHT20'
        option disabled '1'
        option country 'US'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option macaddr '58:ef:68:0f:57:51'


root@mirror:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'
        option port '54'
        option noresolv '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '3,192.168.1.1'
        list dhcp_option '6,192.168.1.1'
        list dhcp_option '15,lan'
        list dns 'fd5a:22b8:bb40::1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

config dhcp 'doc'
        option interface 'doc'
        option start '100'
        option limit '150'
        option leasetime '12h'

root@mirror:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'doc'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'doc'

config forwarding
        option src 'doc'
        option dest 'wan'

config rule
        option src 'lan'
        option dest 'doc'
        option name 'sonne2mond'
        list dest_ip '192.168.10.200'
        option target 'ACCEPT'

You don't have multiple 127.0.0.1:853 entries in your AGH config?

There is no entry with port 853.

root@mirror:~# cat /etc/adguardhome.yaml
http:
  pprof:
    port: 6060
    enabled: false
  address: 192.168.1.1:3080
  session_ttl: 720h
users:
  - name: groot
    password: i am groot
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
  bind_hosts:
    - 0.0.0.0
    - 127.0.0.1
    - ::1
    - 192.168.1.1
  port: 53
  anonymize_client_ip: false
  ratelimit: 0
  ratelimit_subnet_len_ipv4: 24
  ratelimit_subnet_len_ipv6: 56
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - https://dns10.quad9.net/dns-query
    - tls://dns3.digitalcourage.de
    - tls://dns.digitale-gesellschaft.ch:853
    - https://dns.digitale-gesellschaft.ch/dns-query
    - '[//]192.168.74.33:54'
    - '[/lan/]192.168.74.33:54'
  upstream_dns_file: ""
  bootstrap_dns:
    - 9.9.9.10
    - 149.112.112.10
    - 2620:fe::10
    - 2620:fe::fe:10
  fallback_dns: []
  upstream_mode: load_balance
  fastest_timeout: 1s
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: true
  edns_client_subnet:
    custom_ip: ""
    enabled: false
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams:
    - 192.168.1.1:54
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
  serve_plain_dns: true
  hostsfile_enabled: true
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
querylog:
  dir_path: /opt/adguardhome
  ignored:
    - webdav.hidrive.ionos.com
    - webdav.hidrive.strato.com
    - webdav.hidrive.ionos.com.lan
    - webdav.hidrive.strato.com.lan
    - stats.grafana.org
  interval: 24h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  dir_path: /opt/adguardhome
  ignored:
    - webdav.hidrive.ionos.com
    - webdav.hidrive.strato.com
    - webdav.hidrive.ionos.com.lan
    - webdav.hidrive.strato.com.lan
    - stats.grafana.org
  interval: 24h
  enabled: true
filters:
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
    name: AdAway Default Blocklist
    id: 2
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_30.txt
    name: Phishing URL Blocklist (PhishTank and OpenPhish)
    id: 1743425040
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt
    name: Malicious URL Blocklist (URLHaus)
    id: 1743425041
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_50.txt
    name: uBlock₀ filters – Badware risks
    id: 1743425042
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_33.txt
    name: Steven Black's List
    id: 1743425044
whitelist_filters: []
user_rules:
  - ""
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
filtering:
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_services:
    schedule:
      time_zone: UTC
    ids: []
  protection_disabled_until: null
  safe_search:
    enabled: false
    bing: true
    duckduckgo: true
    ecosia: true
    google: true
    pixabay: true
    yandex: true
    youtube: true
  blocking_mode: default
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  rewrites: []
  safe_fs_patterns:
    - /tmp/adguardhome/data/userfilters/*
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  filters_update_interval: 24
  blocked_response_ttl: 10
  filtering_enabled: true
  parental_enabled: false
  safebrowsing_enabled: false
  protection_enabled: true
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent:
    - safe_search:
        enabled: false
        bing: true
        duckduckgo: true
        ecosia: false
        google: true
        pixabay: true
        yandex: true
        youtube: true
      blocked_services:
        schedule:
          time_zone: UTC
        ids: []
      name: IPad
      ids:
        - 10:cf:0f:df:6d:b6
      tags:
        - device_tablet
        - user_child
      upstreams: []
      uid: 01930347-c4d6-7bb0-8548-01d41011671d
      upstreams_cache_size: 0
      upstreams_cache_enabled: false
      use_global_settings: true
      filtering_enabled: false
      parental_enabled: false
      safebrowsing_enabled: false
      use_global_blocked_services: true
      ignore_querylog: false
      ignore_statistics: false
    - safe_search:
        enabled: false
        bing: true
        duckduckgo: true
        ecosia: false
        google: true
        pixabay: true
        yandex: true
        youtube: true
      blocked_services:
        schedule:
          time_zone: UTC
        ids: []
      name: child PC
      ids:
        - b4:2f:99:ea:72:9d
      tags:
        - device_pc
        - user_child
      upstreams: []
      uid: 0193033f-432a-771f-8293-10e7e23ea0fc
      upstreams_cache_size: 0
      upstreams_cache_enabled: false
      use_global_settings: true
      filtering_enabled: false
      parental_enabled: false
      safebrowsing_enabled: false
      use_global_blocked_services: true
      ignore_querylog: false
      ignore_statistics: false
    - safe_search:
        enabled: false
        bing: true
        duckduckgo: true
        ecosia: false
        google: true
        pixabay: true
        yandex: true
        youtube: true
      blocked_services:
        schedule:
          time_zone: UTC
        ids: []
      name: mobile
      ids:
        - 7b:b3:d8:1f:df:5b
      tags:
        - device_phone
        - user_child
      upstreams: []
      uid: 01930344-380f-7523-a761-bac09303790e
      upstreams_cache_size: 0
      upstreams_cache_enabled: false
      use_global_settings: true
      filtering_enabled: false
      parental_enabled: false
      safebrowsing_enabled: false
      use_global_blocked_services: true
      ignore_querylog: false
      ignore_statistics: false
    - safe_search:
        enabled: false
        bing: true
        duckduckgo: true
        ecosia: false
        google: true
        pixabay: true
        yandex: true
        youtube: true
      blocked_services:
        schedule:
          time_zone: UTC
        ids: []
      name: PC two
      ids:
        - a3:f1:5a:e2:ac:30
      tags:
        - device_pc
        - user_child
      upstreams: []
      uid: 01930341-c28a-7af1-9907-cafaa07a31d6
      upstreams_cache_size: 0
      upstreams_cache_enabled: false
      use_global_settings: true
      filtering_enabled: false
      parental_enabled: false
      safebrowsing_enabled: false
      use_global_blocked_services: true
      ignore_querylog: false
      ignore_statistics: false
    - safe_search:
        enabled: false
        bing: true
        duckduckgo: true
        ecosia: false
        google: true
        pixabay: true
        yandex: true
        youtube: true
      blocked_services:
        schedule:
          time_zone: UTC
        ids: []
      name: mobile two
      ids:
        - a2:4d:ad:f2:7a:33
      tags:
        - device_phone
        - user_child
      upstreams: []
      uid: 01930346-7a73-7568-8c9f-1a50220d8767
      upstreams_cache_size: 0
      upstreams_cache_enabled: false
      use_global_settings: true
      filtering_enabled: false
      parental_enabled: false
      safebrowsing_enabled: false
      use_global_blocked_services: true
      ignore_querylog: false
      ignore_statistics: false
    - safe_search:
        enabled: false
        bing: true
        duckduckgo: true
        ecosia: false
        google: true
        pixabay: true
        yandex: true
        youtube: true
      blocked_services:
        schedule:
          time_zone: UTC
        ids: []
      name: pc-arch
      ids:
        - 00:d2:a1:cb:ab:3a
      tags: []
      upstreams: []
      uid: 019726af-f6ba-7c1e-bf99-11b0bd348b55
      upstreams_cache_size: 0
      upstreams_cache_enabled: false
      use_global_settings: false
      filtering_enabled: false
      parental_enabled: false
      safebrowsing_enabled: false
      use_global_blocked_services: true
      ignore_querylog: false
      ignore_statistics: false
    - safe_search:
        enabled: false
        bing: true
        duckduckgo: true
        ecosia: false
        google: true
        pixabay: true
        yandex: true
        youtube: true
      blocked_services:
        schedule:
          time_zone: UTC
        ids: []
      name: win7pc
      ids:
        - ac:5c:b2:f3:1f:0e
      tags:
        - device_pc
      upstreams: []
      uid: 01930310-7fc9-79b9-b642-fbb2f0d4d152
      upstreams_cache_size: 0
      upstreams_cache_enabled: false
      use_global_settings: true
      filtering_enabled: false
      parental_enabled: false
      safebrowsing_enabled: false
      use_global_blocked_services: true
      ignore_querylog: false
      ignore_statistics: false
log:
  enabled: true
  file: /opt/adguardhome/adguardhome.log
  max_backups: 3
  max_size: 100
  max_age: 3
  compress: false
  local_time: true
  verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 29

Based on the schema version, this is quite an old version of AGH. How did you install it? All the paths are non-default. Did you look at the process list to see what's there? I'd start with installing the OpenWrt package if possible.

Also you either bind to individual IPs, or 0.0.0.0.

What's in /opt? Are you writing your logs to flash? If so, don't.

The ADH wasn’t old; it was the current one from opkg. But the original install was a long time ago, and the config was kept from the old installation.

So I removed everything (uninstalled and deleted everything regarding ADH in /etc, /opt/, /var/lib) and made a fresh install. There the encryption settings worked, no error.

The diff was in the dns bind_hosts section of the new adguardhome.yaml: there was only a bind to 0.0.0.0.

So I tried this on my productive router (everything here happened on a test router): I removed every entry in dns bind_hosts except 0.0.0.0. It's working, no error.

Thanks for the hint about the old installation.
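Added example, not part of the thread and not AdGuard Home's own code: a Go sketch of why a bind list that mixes 0.0.0.0 with specific addresses fails on 127.0.0.1 with "address already in use" while netstat shows the port free afterwards. The function names `shadowedBinds` and `bindAll` are hypothetical, the port is an ephemeral one chosen by the kernel instead of 853, and the assumption that the TLS listener is opened host by host with a plain listen call is inferred from the error message above.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/netip"
	"strconv"
	"syscall"
)

// shadowedBinds returns the specific addresses in hosts that collide with a
// wildcard (0.0.0.0 or ::) in the same list. Assumption: a wildcard covers
// both address families, as Go's dual-stack wildcard listener does.
func shadowedBinds(hosts []string) []string {
	wildcard := false
	var specific []string
	for _, h := range hosts {
		a, err := netip.ParseAddr(h)
		if err != nil {
			continue // not an IP literal; out of scope for this check
		}
		if a.IsUnspecified() {
			wildcard = true
		} else {
			specific = append(specific, h)
		}
	}
	if !wildcard {
		return nil
	}
	return specific
}

// bindAll listens on every host with the same TCP port, in list order.
// It returns the first host that fails together with the error. All sockets
// are closed on return, so the port is free again afterwards, which is why
// a later netstat shows nothing listening on it.
func bindAll(hosts []string) (failed string, err error) {
	port := 0 // 0 lets the kernel pick a free port for the first listener
	var open []net.Listener
	defer func() {
		for _, l := range open {
			l.Close()
		}
	}()
	for _, h := range hosts {
		l, lerr := net.Listen("tcp", net.JoinHostPort(h, strconv.Itoa(port)))
		if lerr != nil {
			return h, lerr
		}
		open = append(open, l)
		port = l.Addr().(*net.TCPAddr).Port // reuse this port for the rest
	}
	return "", nil
}

func main() {
	// bind_hosts from the adguardhome.yaml posted in the thread.
	old := []string{"0.0.0.0", "127.0.0.1", "::1", "192.168.1.1"}
	fmt.Println("shadowed by wildcard:", shadowedBinds(old))

	// Only the first two entries are bound here so the demo runs on any host.
	failed, err := bindAll(old[:2])
	fmt.Println("failed on:", failed, "| EADDRINUSE:", errors.Is(err, syscall.EADDRINUSE))

	// The list from the fresh install: wildcard only.
	_, err = bindAll([]string{"0.0.0.0"})
	fmt.Println("wildcard only, error:", err)
}
```

The wildcard socket already covers 127.0.0.1, so the second bind conflicts with the process's own first listener, not with another program.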
